oss-sec mailing list archives

CVE Request: invalid curve attack on bouncycastle


From: Raphael Hertzog <hertzog () debian org>
Date: Thu, 22 Oct 2015 12:25:12 +0200

Hello,

bouncycastle versions older than 1.51 are vulnerable to an
invalid curve attack as described in this article:
http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html

The attack allows extracting private keys used in elliptic curve
cryptography with a few thousand queries.

According to upstream developer Peter Dettman, the issue has been fixed
with those two commits:
https://github.com/bcgit/bc-java/commit/5cb2f05
https://github.com/bcgit/bc-java/commit/e25e94a

Could a CVE be assigned to this issue?

Thank you.

PS: Please CC me as I'm not subscribed.
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
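The mechanism behind the attack, as an added worked example that is not part of the oss-sec post and is not BouncyCastle's code: on a toy curve over a small prime field (p = 1019 and a = 5 are assumed values), the affine add/double formulas use the coefficient a but never b, so an ECDH implementation that skips point validation will happily multiply a peer point that lies on a different curve y^2 = x^3 + a*x + b'. The attacker picks b' so that curve has a point of small prime order r; the victim's reply then depends only on d mod r, which is brute-forced, and the Chinese remainder theorem stitches the residues together. The example goes slightly beyond the post in two ways: the hypothetical oracle returns only the x coordinate, as ECDH usually does, so each residue is known only up to sign and the victim's public key is used to resolve the signs; and `validated_ecdh` shows the on-curve check that a fix needs (what the two upstream commits actually change is not reproduced here). Because the field is tiny, a handful of queries suffice; the few-thousand figure in the post is for real-size curves.

```python
# Added example, not BouncyCastle code: invalid-curve attack on a toy ECDH oracle.
import itertools

P = 1019            # toy field prime (assumed); P % 4 == 3 makes square roots cheap
A = 5               # coefficient a, shared by the real curve and every invalid curve
INF = None          # point at infinity
SQUARES = {x * x % P for x in range(P)}

def is_prime(n):
    return n > 1 and all(n % q for q in range(2, int(n ** 0.5) + 1))
def singular(b):
    return (4 * A ** 3 + 27 * b * b) % P == 0

def add(p1, p2):
    """Affine addition: uses A but never b, which is the root of the attack."""
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    lam = ((3 * x1 * x1 + A) * pow(2 * y1, -1, P) if x1 == x2
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k:
        acc, pt, k = (add(acc, pt) if k & 1 else acc), add(pt, pt), k >> 1
    return acc

def xcoord(pt):
    return None if pt is INF else pt[0]
def on_curve(pt, b):
    return pt is not INF and (pt[1] ** 2 - pt[0] ** 3 - A * pt[0] - b) % P == 0

def curve_order(b):
    """#E(GF(P)) of y^2 = x^3 + A*x + b by brute force: infinity plus 1 or 2 points per x."""
    rhs = [(x ** 3 + A * x + b) % P for x in range(P)]
    return 1 + sum(1 if v == 0 else 2 if v in SQUARES else 0 for v in rhs)

def point_of_order(b, r, n):
    """A point of prime order r on the curve with coefficient b and order n (r | n)."""
    for x in range(P):
        rhs = (x ** 3 + A * x + b) % P
        h = mul(n // r, (x, pow(rhs, (P + 1) // 4, P))) if rhs in SQUARES else INF
        if h is not INF:
            return h
    raise ValueError("no point of order %d" % r)

# The victim's real curve: pick b so the group order N is prime, as real curves have.
B = next(b for b in range(1, P) if not singular(b) and is_prime(curve_order(b)))
N = curve_order(B)
G = point_of_order(B, N, N)

def unvalidated_ecdh(d, peer):
    return xcoord(mul(d, peer))     # buggy: multiplies whatever point the peer sent
def validated_ecdh(d, peer):
    """The fix: refuse any peer point that is not on the real curve."""
    if not on_curve(peer, B):
        raise ValueError("peer point is not on the curve")
    return unvalidated_ecdh(d, peer)

def crt(pairs):
    """Chinese remainder theorem over (modulus, residue) pairs with coprime moduli."""
    x, m = 0, 1
    for r, k in pairs:
        x, m = x + m * ((k - x) * pow(m, -1, r) % r), m * r
    return x

def invalid_curve_attack(oracle, pubkey):
    """Recover d from an x-only ECDH oracle.  Returns (d, the invalid points sent)."""
    residues, modulus, queries = [], 1, []
    for b in range(1, P):
        if modulus > N:                             # enough residues to pin down d < N
            break
        if b == B or singular(b):
            continue
        n = curve_order(b)
        for r in (q for q in range(2, 64) if n % q == 0 and is_prime(q)):
            if modulus % r == 0:                    # already have d mod r
                continue
            pt = point_of_order(b, r, n)            # small-order point on the wrong curve
            queries.append(pt)
            x = oracle(pt)                          # victim computes d*pt there: leaks d mod r
            # x(k*pt) == x(-k*pt), so an x-only oracle gives d mod r only up to sign
            residues.append((r, {k for k in range(r) if xcoord(mul(k, pt)) == x}))
            modulus *= r
    for choice in itertools.product(*[sorted(ks) for _, ks in residues]):
        d = crt([(r, k) for (r, _), k in zip(residues, choice)])
        if d < N and mul(d, G) == pubkey:            # the public key resolves the signs
            return d, queries
    raise RuntimeError("recovery failed")

def demo(d):
    """Attack a victim holding secret d: returns (recovered d, #queries, fix rejects all?)."""
    recovered, queries = invalid_curve_attack(lambda pt: unvalidated_ecdh(d, pt), mul(d, G))
    return recovered, len(queries), all(not on_curve(pt, B) for pt in queries)
if __name__ == "__main__":
    print("recovered, queries, rejected by fix:", demo(777))   # any 1 <= d < N works
```

Two design points carry over to real implementations: the on-curve check in `validated_ecdh` has to run on the peer's point before any scalar multiplication, and it has to use the real curve's b (checking only that the coordinates are in range catches nothing, since every invalid point here has coordinates in range). For curves with a cofactor, a real implementation also has to reject points in the small subgroup, which this prime-order toy curve does not have.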

